Microsoft addresses TrueType, Windows vulnerabilities

Jeremy Stanley

Coming off a light June, administrators have a busy month ahead of them with patches touching just about every version of Windows and Windows Server. But the focus will be on the workstation.

The updates in July's Patch Tuesday address a total of 34 vulnerabilities. All six critical bulletins include fixes for remote code execution vulnerabilities.

The most critical bulletin includes fixes for eight vulnerabilities in Windows kernel-mode drivers. The vulnerabilities can be exploited if users view certain content that uses TrueType fonts. It is one of three critical bulletins that include fixes for TrueType font vulnerabilities. TrueType fonts are handled in three different places: Silverlight, graphics rendering and the Windows kernel.

By exploiting TrueType on a system level -- via the kernel -- attackers can obtain system administrator privileges, said Wolfgang Kandek, CTO at Qualys Inc., an IT security firm based in Redwood Shores, Calif.

Another critical bulletin fixes 17 reported Internet Explorer (IE) vulnerabilities. Attackers can take advantage of these vulnerabilities and gain users' rights if users view certain webpages with IE.

"Browsers continue to be the focus for the security researchers," said Kandek, and "the ones who want to take over the machines."

This is the second month in a row with fixes for a high number of IE vulnerabilities. In June, the Patch Tuesday updates included fixes for 19 IE vulnerabilities.

Kandek speculated that the security bounty program Microsoft introduced late last month could play a role in fixes found in the future, but it's unlikely any fixes made their way into this Patch Tuesday.

While IE 11 is better and more secure, "there continue to be ways to exploit it, and ways to make it do an attacker's bidding," said Kandek.

There are also critical fixes for vulnerabilities found in Microsoft DirectShow and Windows Media format, which can be exploited if users open specific image or media files.

Other critical bulletins address vulnerabilities in .NET Framework and Silverlight that can be exploited if applications use a certain line of code designed to gain users' rights.

July's lone important bulletin fixes an elevation of privilege vulnerability found in paths in Windows Defender on Windows 7 and Windows Server 2008 R2.

This month's Patch Tuesday updates follow the year's trend of an increase in monthly fixes. July's fixes bring the yearly total up to 58 bulletins, up from 51 at the same time last year.

Assistant Site Editor Toni Boger contributed to this report.

